Lab 3: Trusted Artifact Signer (TAS)
Overview
Trusted Artifact Signer (TAS) provides keyless signing for container images and other software artifacts using Sigstore technologies: cosign, Fulcio, and Rekor.
In this section you will complete the TAS-focused modules from the TL3 lab, covering security best practices, attestations, and policy enforcement.
Security Best Practices (Module 7)
Complete Module 7: Getting Started with Security Best Practices in the TL3 lab.
This module covers:
- Keyless signing technology fundamentals
- Signing container images with cosign
- Verifying commit signatures
- Tracking build provenance
- Generating SBOMs
Attestations, Tekton Chains & Enterprise Contract (Module 9)
Complete Module 9: Attestations, Tekton Chains & Enterprise Contract with TAS in the TL3 lab.
This module covers:
- Pipeline attestations with Tekton Chains
- Conforma (Enterprise Contract) policy configuration
- Admission controllers using Sigstore and RHACS
- Policy enforcement mechanisms
Summary
You have practiced signing artifacts, verifying signatures, creating attestations, and enforcing policies using TAS.
Next Steps
Proceed to Trusted Profile Analyzer (TPA) Exercises.